
Fancy Bear’s new campaign targeting governments across Europe and South America

The threat group has lately become more covert, targeting various governments and military organizations.

The Russian hacker group APT28, aka Fancy Bear, Sednit, Pawn Storm, and Swallowtail, has been covertly conducting attacks against governments and military organizations across Europe and South America. Although APT28 has been active since 2007, the group’s activities first came to light in 2016, when it orchestrated attacks against the US Democratic National Party during the presidential election.

Following the 2016 presidential election, APT28’s activities were widely reported on by the news media and security experts. Although it appeared that the group went dark shortly afterward, new research suggests that the group just got more covert.

According to security researchers at Symantec, who uncovered a new APT28 campaign, between 2017 and 2018, the hackers targeted an Eastern European embassy, a renowned international organization, as well as governments and military organizations across Europe and South America.

Fancy Bear connected to Earworm

Symantec researchers also found a connection between Fancy Bear and another threat group known as Earworm (aka Zebrocy). In comparison to Fancy Bear, Earworm has only been active for a relatively short period - two years - and is not considered to be a highly sophisticated cyberespionage group.

“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group,” Symantec researchers said in a report.

Malware used

In their latest campaign, Fancy Bear hackers were found using their custom malware Seduploader and XAgent to conduct basic reconnaissance on targeted systems and steal data. However, the Kremlin-linked hacker group has also continually upgraded its tools. For instance, XAgent was originally Windows malware, but a Mac version now exists as well.

In addition to using its own custom hacking tools, APT28 may also be using Earworm’s malware. Earworm is known to use two malware variants - a downloader and a backdoor.

While the downloader is capable of conducting basic reconnaissance and downloading additional malware, the backdoor is capable of taking screenshots, executing files and commands, uploading and downloading files, and more.

“It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools,” Symantec researchers said. “After its foray into overt and disruptive attacks in 2016, the group has subsequently returned to its roots, mounting intelligence gathering operations against a range of targets. This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets.”
